Apache, auth via LDAP and .htaccess

Check that the mod_authnz_ldap module is loaded in /etc/httpd/conf/httpd.conf:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

httpd.conf configuration using authorization via LDAP:

..
...
<Directory /var/www/html>
AuthType Basic
AuthName "SS Web Site: Login use your logname"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=user,OU=Users and Groups,OU=Service Admins,OU=Service Accounts,DC=domain,DC=com"
AuthLDAPBindPassword "secret1"
AuthLDAPURL "ldap://server:389/OU=domain,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on
Require ldap-user user1 user2
</Directory>
...
..

or the following configuration:

..
...
<Directory /var/www/html>
Order deny,allow
Deny from All
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword "secret1"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group "cn=users,ou=group,o=stooges"
Require ldap-attribute gidNumber=100
Satisfy any
</Directory>
...
..

Access can be restricted with the following rules:

* Require ldap-user
* Require ldap-group
* Require ldap-dn
* Require ldap-attribute
* Require ldap-filter

* Require valid-user - allow all users whose authentication (password) is correct.
* Require user greg phil bob - allow only greg, phil and bob to log in.
* Require group accounting - allow only users in group "accounting" to authenticate.

Apache can use both file and LDAP authentication concurrently. This is sometimes required to run cron jobs with a login where you do not want to use a system login or a login managed by a directory server in another department.

<Location /svnroot/projects>
DAV svn
AuthBasicProvider file ldap
SVNParentPath /svnroot/projects
#AuthzLDAPAuthoritative off
AuthType Basic
AuthzSVNAccessFile /svnroot/projects/.authz
AuthGroupFile /dev/null
AuthName "Subversion Repository"
AuthLDAPBindDN "CN=user1,OU=admins,OU=users,DC=domain,DC=com"
AuthLDAPBindPassword "===="
AuthLDAPURL "ldap://server:389/OU=users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthUserFile /svnroot/.passwd
Require valid-user
</Location>


Note:

* AuthBasicProvider file ldap - check the "file" provider first, then LDAP.
* AuthBasicAuthoritative off - allows fall back to another auth scheme, in this case LDAP.
* AuthzLDAPAuthoritative off - allows fall back to another auth scheme besides LDAP, in this case file.

All three configurations above bind and verify passwords over plain ldap://, so the bind password and every user password cross the network unencrypted; use ldaps:// in AuthLDAPURL (or LDAPTrustedMode TLS from mod_ldap) and keep httpd.conf readable only by root, since AuthLDAPBindPassword is stored in clear text. AuthzLDAPAuthoritative, Order/Deny and Satisfy are httpd 2.2 directives; in 2.4 the Require lines are combined with RequireAny/RequireAll instead.
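The following model shows how the provider chain `AuthBasicProvider file ldap` and the Require rules from the configurations above are evaluated. It is an added example, not Apache code: the htpasswd `{SHA}` line format and the rule "only a user-not-found result moves on to the next provider" follow mod_auth_basic/mod_authn_file behaviour, while the LDAP directory, groups, user names and passwords are constructed in-memory stand-ins (a dictionary lookup replaces the real bind).

```python
import base64
import hashlib
import hmac
from enum import Enum


class AuthResult(Enum):
    GRANTED = "granted"            # provider confirmed the password
    DENIED = "denied"              # provider knows the user, password is wrong
    USER_NOT_FOUND = "not_found"   # provider has no such user: try the next one


def sha_entry(user, password):
    """One htpasswd line in the {SHA} format written by `htpasswd -s`."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample data for this example (not taken from any real system).
HTPASSWD_FILE = "\n".join([
    sha_entry("cronjob", "cron-pass"),  # local-only account for cron jobs
    sha_entry("alice", "file-pass"),    # also in LDAP, with a different password
])
LDAP_DIRECTORY = {                       # sAMAccountName/uid -> attributes
    "alice": {"password": "ldap-pass", "gidNumber": "100"},
    "bob":   {"password": "bob-pass",  "gidNumber": "200"},
}
LDAP_GROUPS = {                          # memberUid values (AuthLDAPGroupAttributeIsDN off)
    "cn=users,ou=group,o=stooges": {"alice"},
}


def file_provider(user, password, htpasswd=HTPASSWD_FILE):
    """AuthUserFile lookup: DENIED on a wrong password, USER_NOT_FOUND if absent."""
    for line in htpasswd.splitlines():
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return AuthResult.DENIED     # other hash formats are not modelled here
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode()).digest()
        return AuthResult.GRANTED if hmac.compare_digest(expected, actual) else AuthResult.DENIED
    return AuthResult.USER_NOT_FOUND


def ldap_provider(user, password, directory=LDAP_DIRECTORY):
    """Stand-in for the AuthLDAPURL search followed by a bind as the found user."""
    entry = directory.get(user)
    if entry is None:                    # search returned no entry
        return AuthResult.USER_NOT_FOUND
    ok = hmac.compare_digest(entry["password"].encode(), password.encode())
    return AuthResult.GRANTED if ok else AuthResult.DENIED


PROVIDERS = {"file": file_provider, "ldap": ldap_provider}


def authenticate(user, password, providers=("file", "ldap")):
    """Walk the AuthBasicProvider list in order; only USER_NOT_FOUND moves on."""
    result = AuthResult.USER_NOT_FOUND
    for name in providers:
        result = PROVIDERS[name](user, password)
        if result is not AuthResult.USER_NOT_FOUND:
            break                        # GRANTED or DENIED: stop checking
    return result


def require(rule, user, directory=LDAP_DIRECTORY, groups=LDAP_GROUPS):
    """Evaluate one Require line for an already-authenticated user."""
    kind, *args = rule.split()
    if kind == "valid-user":
        return True
    if kind in ("user", "ldap-user"):
        return user in args
    if kind == "ldap-attribute":
        attr, _, value = args[0].partition("=")
        return directory.get(user, {}).get(attr) == value
    if kind == "ldap-group":
        return user in groups.get(args[0].strip('"'), set())
    raise ValueError(f"rule not modelled: {rule}")


def authorize(user, rules):
    """Several Require lines in one section are OR-ed, like the two in the second config."""
    return any(require(rule, user) for rule in rules)


if __name__ == "__main__":
    for who, pw in [("cronjob", "cron-pass"), ("alice", "ldap-pass"), ("bob", "bob-pass")]:
        print(who, authenticate(who, pw).value)
```

The case worth noticing is alice: she exists in the file, so a wrong file password returns DENIED and the chain stops, and her LDAP password is never tried. Only users absent from AuthUserFile (bob) reach the LDAP provider, which is why the file entries for cron jobs must not collide with directory account names. The model ignores how ldap-* Require rules behave for a user who authenticated via the file provider rather than LDAP.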
